Description
A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Manipulation can lead to improper access controls. The attack can be performed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the exec function of the Rapids setproperty primitive handler in the h2oai h2o-3 engine. It allows an attacker to manipulate property-setting behavior and bypass the intended access controls. This can enable unauthorized modification of system properties or configuration, potentially leading to unauthorized actions or privilege escalation.

Affected Systems

The h2oai product h2o-3 is affected. Any h2o-3 instance at version 7402 or lower is vulnerable. No other affected versions are specified.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. An EPSS score of < 1% suggests a very low likelihood of exploitation in the general population, though an exploit is publicly available. The issue is not listed in CISA KEV. Remote attackers can exploit the flaw, potentially altering system properties to gain elevated privileges or compromise integrity, especially in environments exposed to untrusted networks.

Generated by OpenCVE AI on May 19, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to a version newer than 7402 as soon as it becomes available.
  • Restrict inbound access to the h2o‑3 service from untrusted networks using firewall rules or network segmentation.
  • Implement strict validation of property keys and values, and monitor logs for abnormal SetProperty usage.

Advisories

No advisories yet.

History

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared H2o
H2o h2o
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:h2o:h2o:*:*:*:*:*:*:*:*
Vendors & Products H2o
H2o h2o

Mon, 18 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 17 May 2026 12:00:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Manipulation can lead to improper access controls. The attack can be performed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title h2oai h2o-3 Rapids setproperty Primitive AstSetProperty.java exec access control
First Time appeared H2oai
H2oai h2o-3
Weaknesses CWE-266
CWE-284
CPEs cpe:2.3:a:h2oai:h2o-3:*:*:*:*:*:*:*:*
Vendors & Products H2oai
H2oai h2o-3
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-18T14:39:10.246Z

Reserved: 2026-05-16T16:20:47.483Z

Link: CVE-2026-8752

Vulnrichment

Updated: 2026-05-18T14:39:05.498Z

NVD

Status: Analyzed

Published: 2026-05-17T12:16:43.330

Modified: 2026-05-19T17:44:01.197

Link: CVE-2026-8752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T19:00:12Z

Weaknesses